Events and reporting

January 20, 2022

ID 195337

Events

Any Kaspersky Endpoint Security operation generates events. The application administrator can view these events by using the query system.

Kaspersky Endpoint Security notifies users about new events in the following ways:

  • If Kaspersky Endpoint Security is managed by Kaspersky Security Center, information about events may be transmitted to the Kaspersky Security Center Administration Server. The Kaspersky Security Center administrator can configure email notifications or script execution when an event is received from the application. For more details about managing reports in Kaspersky Security Center, please refer to the Kaspersky Security Center documentation.
  • If the graphical user interface (GUI) is enabled, information about events may be viewed in the reports and in the application pop-ups.
  • By using a local query to the Kaspersky Endpoint Security event storage. The application administrator can write scripts based on the generated events.

To get information about all events in the Storage:

kesl-control -E --query|less

By default, the application stores up to 500 000 events. You can use the less command to navigate through the list of displayed events.

You can use the query system to view specific events. When you create a query, specify the required field, select the comparison operator, and set the required value for it. The value must be enclosed in single quotation marks ('), and the whole query must be enclosed in double quotation marks ("):

--query "<field> <comparison operator> '<value>' [and <field> <comparison operator> '<value>' *]"

Event example:

Below is an example of a ThreatDetected event:

EventType=ThreatDetected
EventId=2671
Initiator=Product
Date=2020-04-30 17:17:17
DangerLevel=Critical
FileName=/root/eicar.com.txt
ObjectName=File
TaskName=File_Monitoring
RuntimeTaskId=2
TaskId=1
DetectName=EICAR-Test-File
TaskType=OAS
FileOwner=root
FileOwnerId=0
DetectCertainty=Sure
DetectType=Virware
DetectSource=Local
ObjectId=1
AccessUser=root
AccessUserId=0

Query examples:

Get all events by the EventType field:

kesl-control -E --query "EventType == 'ThreatDetected'"

Get all events filtered by the EventType field and by the FileName field using the like operator:

kesl-control -E --query "EventType == 'ThreatDetected' and FileName like '%eicar%'"

Get all events produced by the File_Monitoring task after a specified point in time:

kesl-control -E --query "TaskName == 'File_Monitoring' and Date > '1588253494'"

The Date field must be specified as a UNIX timestamp (the number of seconds that have elapsed since 00:00:00 UTC on 1 January 1970).
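The following shell script is an added example, not Kaspersky's own code, showing how an administrator might script on top of the event queries above (as the "local query" bullet earlier on this page suggests): it builds a query string with a UNIX-timestamp Date filter, runs it through kesl-control, and reduces the key=value event output to one summary line per detection of a chosen DangerLevel. It assumes kesl-control is on PATH and run as root, and that the event output is key=value lines with records separated by a blank line (an assumption based on the sample event format shown on this page). The sample events embedded in the script are constructed so that the parsing runs offline.

```shell
#!/bin/sh
# Added example (not part of the Kaspersky documentation). Assumptions:
# - kesl-control is on PATH and the script runs with root privileges;
# - "kesl-control -E --query" prints events as key=value lines, one
#   blank line between records (assumed from the sample on this page).

# Build a query for events of one type newer than a UNIX timestamp.
# $1 = EventType value, $2 = UNIX timestamp (seconds since 1970-01-01 UTC)
build_query() {
    printf "EventType == '%s' and Date > '%s'" "$1" "$2"
}

# Read key=value event records from stdin and print, for every record whose
# DangerLevel equals $1, one line: Date|DangerLevel|FileName|DetectName
summarize_events() {
    awk -v want="$1" -F'=' '
        # A blank line terminates the current record
        /^[[:space:]]*$/ { flush(); next }
        {
            key = $1
            sub(/^[^=]*=/, "", $0)   # keep the value intact even if it contains "="
            rec[key] = $0
        }
        END { flush() }
        function flush(    k) {
            if (("EventType" in rec) && rec["DangerLevel"] == want)
                print rec["Date"] "|" rec["DangerLevel"] "|" rec["FileName"] "|" rec["DetectName"]
            for (k in rec) delete rec[k]
        }
    '
}

# Query the live event storage for ThreatDetected events after timestamp $1
# and summarize the Critical ones. Example: report_critical_since 1588253494
report_critical_since() {
    kesl-control -E --query "$(build_query ThreatDetected "$1")" | summarize_events Critical
}

# Constructed sample output (two records) so the parser can be exercised offline.
SAMPLE_EVENTS='EventType=ThreatDetected
EventId=2671
Date=2020-04-30 17:17:17
DangerLevel=Critical
FileName=/root/eicar.com.txt
DetectName=EICAR-Test-File

EventType=ThreatDetected
EventId=2672
Date=2020-04-30 17:18:02
DangerLevel=Low
FileName=/tmp/sample.bin
DetectName=Constructed-Test-Name'

# Run the summary over the constructed sample for DangerLevel $1.
summarize_sample() {
    printf '%s\n' "$SAMPLE_EVENTS" | summarize_events "$1"
}

# Offline demonstration: prints the single Critical record from the sample.
summarize_sample Critical
```

The Date comparison in the query uses the UNIX timestamp form required by kesl-control, while the Date field in the returned records is printed in human-readable form; the script passes that value through unchanged. Because the event storage holds up to 500 000 events by default, filtering in the query (EventType and Date) rather than in the parser keeps the amount of data read from the database small.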

Reporting

Information about the operation of each Kaspersky Endpoint Security component, the performance of each task, and the overall operation of the application is recorded in reports.

Reports are generated differently depending on the application settings and the use of Kaspersky Security Center:

  • All reports are stored in the local application event storage. The event storage is located in the directory specified by the general application setting EventsStoragePath. By default, the database file in which Kaspersky Endpoint Security saves information about events is located in /var/opt/kaspersky/kesl/events.db. Root privileges are required to access the database of events.
  • If Kaspersky Endpoint Security is managed by Kaspersky Security Center, information about events may be transmitted to the Kaspersky Security Center Administration Server. For more details about managing reports in Kaspersky Security Center, please refer to the Kaspersky Security Center documentation.
  • If the general application setting UseSysLog=Yes, information about events is also logged to syslog. Root privileges may be required to access syslog.
  • In the graphical user interface (GUI), the Reports window is available for non-root users only when the general application setting UIReportsForRootOnly is set to No. Otherwise, the Reports window is available only for a root user.

Reports may contain the following user data:
